Some corrected URLs for the candidates:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0317http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0818
As an addendum, patches that are described in *source code* are much
more concrete and often give enough details for one to distinguish
between two problems, so I believe they can play a factor in this. If
you see a patch that cleanses user input before feeding it to a
system() call, and changing a strcpy() to a strncpy() at some
different point in the code, then I'd say that's pretty good evidence
that they were patching a buffer overflow problem and a shell
metacharacter problem, which according to CD:SF-LOC should thus be
separated.
See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0001 for an
example in which a sparsely worded advisory is distinguished from
other candidates by looking at the patches. Yes, the very first
candidate ever assigned has been held up by content decisions and lack
of information! ;-)
- Steve